The next frontier of cyber governance: Achieving resilience in the wake of NotPetya
Earlier this week, several European nations experienced a widespread ransomware attack. Multinational giants such as Merck, WPP, Rosneft and AP Moller-Maersk, alongside banks, other financial institutions and energy companies, were affected, with users locked out of their computers. The focus of the attack was Europe, but DLA Piper, a large law firm with major U.S. operations, was also hit by the new strain.
First reports attributed the attack to the known Petya ransomware, but Kaspersky Lab later determined that it was a previously unknown strain, dubbed NotPetya, which hit users across Ukraine, Russia, France, Germany, Italy, Poland, the UK and the U.S. Like WannaCry in May, it spread between unpatched Windows machines over SMB using the leaked EternalBlue exploit, and later analysis of its encryption routine showed that victims could not recover their files even if they paid. WannaCry was evidently only the beginning: this week's attack is further evidence that global economies are badly exposed.
Reliance on connected devices and computers, coupled with the lack of government-mandated and incentivized cyber defense in both the public and private sectors, poses a serious threat to the world's economy.
Organizations must be made to understand the need for a more organized, transparent and incentivized cyber defense system if devastating attacks are to be halted before they spread across the globe. Understanding that need is step one; turning it into actionable solutions is the next frontier.
Here’s how organizations can get ahead of existential threats and lead the charge in the next frontier of cyber governance:
Create a cyber-conscious culture
It should be clear by now that cybersecurity is no longer just an IT issue. We are not facing a breakdown in technology; what we are seeing is a failure to put the right people, processes and policies in place to minimize an organization's internal exposure to attack. Most perimeter defense and network intrusion detection technologies do their job effectively, but they do not protect organizations from the risks created by human error and inadequate training. A caveat worth stating plainly: NotPetya needed no user to click anything. It arrived through a compromised software update and spread laterally over SMB and with stolen administrator credentials, so awareness training alone would not have stopped it; timely patching, network segmentation and credential hygiene would have, and those are organizational decisions about priorities and budget, not purely technical ones. Effective cybersecurity must therefore involve the entire organization and be ingrained in its culture in every corner. Engaging and training the wider workforce, not just the IT department, is critical to supporting CISOs and mitigating cyber risk.
Implement mandates and incentives
The U.S. is on the right path to national cyber resiliency with the Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure (EO 13800), which adopts the NIST Cybersecurity Framework as the baseline for federal agencies, and with the New York Department of Financial Services cybersecurity regulations. These mandates are a step in the right direction. The lesser-known SAFETY Act, administered by the Department of Homeland Security, adds a form of liability protection by designating technologies as qualified anti-terrorism technologies; companies hit by a cyberterrorism attack while using a SAFETY Act designated technology would be shielded from much of the resulting liability, provided DHS declares the incident an act of terrorism. The European Union has also adopted the NIS Directive, the first piece of EU-wide legislation on cybersecurity, which member states are still transposing into national law.
Governments must do better at incentivizing these mandates and protections, while balancing the general aversion to regulation in some industries, such as utilities and energy. Organizations, for their part, should mandate and incentivize their own internal training programs to raise awareness of common internal risk factors, so that risk mitigation is driven from the top down.
Accountability standards must be upheld when organizations, or the individuals within them, fail to comply with national requirements for cyber defense and mitigation. The EO makes agency heads directly accountable for managing their agencies' cyber risk and requires them to use the NIST Cybersecurity Framework; the NIS Directive imposes binding security and incident-reporting obligations on operators of essential services and digital service providers. Both replace the purely voluntary or recommended best practices that governments shared in the past with mandatory compliance.
If those compliance requirements are enforced, agency heads and organizational leaders will be held liable for future attacks, both legally and financially. It is therefore their fiduciary duty to ensure that everyone in the organization is equipped to identify, assess and mitigate risk. Accountability is far less structured in the commercial arena, where CISOs are often wrongly blamed for any successful breach when, in fact, every department and employee should be held to a level of accountability for protecting the enterprise from the inside out.
Streamline protection of the whole, not just the parts
While regulations like the EO and the NIS Directive are steps in the right direction, they create consistency and reporting challenges for a nation's overall cybersecurity posture. Individual agencies are responsible for their own measurement, reporting and mitigation plans, which is a heavy burden when viewed in the full-portfolio context of a nation's cyber defense maturity.
Nations need to find a balance between public and private sector cybersecurity regulation, with a consistent, unified defense program that can be referenced, implemented, measured and maintained across agencies, enterprises and individuals. A weakness in any part of the cybersecurity chain puts the entire portfolio at risk.
As attacks continue to strike on a global scale, government leaders will likely move toward nationwide regulatory standards that protect the portfolio as a single unit. Organizations that begin implementing standardized cybersecurity programs under frameworks like the NIST Cybersecurity Framework or ISO/IEC 27001 will be a step ahead of that charge, and better prepared to defend proactively against evolving threats rather than waiting for another devastating attack to tear through our public and private sectors.